Yet Another Israeli Malware Manufacturer Found Selling To Human Rights Abusers, Targeting iPhones

[…]

Candiru — another Israeli firm with a long list of questionable customers, including Uzbekistan, Saudi Arabia, United Arab Emirates, and Singapore.

Now there’s another name to add to the list of NSO-alikes. And (perhaps not oddly enough) this company also calls Israel home. Reuters was the first to report on this NSO competitor’s ability to stay competitive in the international malware race.

A flaw in Apple’s software exploited by Israeli surveillance firm NSO Group to break into iPhones in 2021 was simultaneously abused by a competing company, according to five people familiar with the matter.

QuaDream, the sources said, is a smaller and lower profile Israeli firm that also develops smartphone hacking tools intended for government clients.

Like NSO, QuaDream sold a “zero-click” exploit that could completely compromise a target’s phone. We’re using the past tense not because QuaDream no longer exists, but because this particular exploit (the basis for NSO’s FORCEDENTRY) has been patched into uselessness by Apple.

But, like other NSO competitors (looking at you, Candiru), QuaDream has no interest in providing statements, a friendly public face for inquiries from journalists, or even a public-facing website. Its Tel Aviv office seemingly has no occupants and email inquiries made by Reuters have gone ignored.

QuaDream doesn’t have much of a web presence. But that’s changing, due to this report, which builds on earlier reporting on the company by Haaretz and Middle East Eye. But even the earlier reporting doesn’t go back all that far: June 2021. That report shows the company selling a hacking tool called “Reign” to the Saudi government. But that sale wasn’t accomplished directly, apparently in a move designed to further distance QuaDream from both the product being sold and the government it sold it to.

[…]

Reign is apparently the equivalent of NSO’s Pegasus, another powerful zero-click exploit that appears to still be able to hack most iPhone models. But it’s not a true equivalent. According to this report, the tool can be rendered useless by a single system software update and, perhaps more importantly, cannot be remotely terminated by the entity deploying it, should the infection be discovered by the target. This means targeted users have the opportunity to learn a great deal about the exploit, its deployment, and possibly where it originated.

[…]

Source: Yet Another Israeli Malware Manufacturer Found Selling To Human Rights Abusers, Targeting iPhones | Techdirt

Indian govt aligned gang plants incriminating evidence on PCs in a very unsophisticated way

For the past decade, unidentified miscreants have been planting incriminating evidence on the devices of human-rights advocates, lawyers, and academics in India seemingly to get them arrested.

That’s according to SentinelOne, which has named the crew ModifiedElephant and described the group’s techniques and targets since 2012 in a report published on Wednesday.

“The objective of ModifiedElephant is long-term surveillance that at times concludes with the delivery of ‘evidence’ – files that incriminate the target in specific crimes – prior to conveniently coordinated arrests,” said Tom Hegel, threat researcher at SentinelOne, in a blog post.

Hegel said the group has operated for years without attracting the attention of the cybersecurity community because of its limited scope of operations, its regionally-specific targeting, and its relatively unsophisticated tools.

ModifiedElephant prefers phishing with malicious Microsoft Office attachments to attack targets and infect them with Windows malware.

In 2013, its messages relied on executable file attachments with deceptive double extensions in the file name (e.g. filename.pdf.exe). After 2015, the group used .doc, .pps, .docx, .rar, and password-protected .rar files. In 2019, its attack vector involved links to hosted malicious files, and the group is also said to have employed large .rar archives to avoid detection.
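The attachment patterns listed above (deceptive double extensions, password-protected .rar files, oversized archives) are simple enough to triage at the mail gateway. The following is an added example of such a triage rule; it is not code from SentinelOne’s report, and the extension sets, the size threshold and the sample attachment records are constructed assumptions.

```python
from typing import Dict, List, Tuple

# Extensions Windows will execute; "invitation.pdf.exe" ends in one of these
# while showing a benign-looking inner extension (assumed set, not from the report).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
# Inner extensions an attacker would use to make the file look like a document.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "pps", "ppt", "xls", "txt", "jpg", "png"}
# Assumed threshold for an "unusually large" archive; tune per environment.
LARGE_ARCHIVE_BYTES = 50 * 1024 * 1024


def classify_attachment(name: str, size: int, password_protected: bool = False) -> List[str]:
    """Return the reasons an attachment should be held for review (empty list if none)."""
    reasons: List[str] = []
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    # A name like report.pdf.exe: executable suffix hidden behind a document suffix.
    if len(parts) >= 3 and ext in EXECUTABLE_EXTS and parts[-2] in DOCUMENT_EXTS:
        reasons.append("deceptive double extension")
    elif ext in EXECUTABLE_EXTS:
        reasons.append("executable attachment")
    if ext == "rar" and password_protected:
        # Encrypted archives cannot be content-scanned by the gateway.
        reasons.append("password-protected rar")
    if ext == "rar" and size > LARGE_ARCHIVE_BYTES:
        reasons.append("unusually large rar archive")
    return reasons


def triage(attachments: List[Tuple[str, int, bool]]) -> Dict[str, List[str]]:
    """Map each flagged attachment name to its reasons; clean attachments are omitted."""
    flagged = {}
    for name, size, pw in attachments:
        reasons = classify_attachment(name, size, pw)
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed sample mailbox: (filename, size in bytes, password-protected?)
SAMPLE_ATTACHMENTS = [
    ("invitation.pdf.exe", 200_000, False),
    ("minutes.docx", 80_000, False),
    ("photos.rar", 120 * 1024 * 1024, True),
    ("setup.exe", 1_000_000, False),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name}: {', '.join(reasons)}")
```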

The gang was also observed throwing Android malware at victims.

“There’s something to be said about how mundane the mechanisms of this operation are,” said Juan Andrés Guerrero-Saade, threat researcher at SentinelOne and adjunct professor at Johns Hopkins SAIS, via Twitter. “The malware is either custom garbage or commodity garbage. There’s nothing technically impressive about this threat actor, instead we marvel at their audacity.”

[…]

SentinelOne does not explicitly state that ModifiedElephant acts on behalf of the Indian government but notes how the group’s activities are consistent with the government’s interests.

“We observe that ModifiedElephant activity aligns sharply with Indian state interests and that there is an observable correlation between ModifiedElephant attacks and the arrests of individuals in controversial, politically-charged cases,” wrote Hegel.

According to the report, ModifiedElephant’s web infrastructure overlaps with Operation Hangover, a surveillance effort dating back to 2013 against targets of interest to Indian national security. The security firm also said that Wilson had been targeted by a second threat group, known as SideWinder [PDF], which has attacked government, military, and private sector organizations across Asia.

Hegel observes that SentinelOne last year reported on a threat actor operating in and around Turkey, dubbed EGoManiac, that planted incriminating evidence on the devices of journalists to support arrests made by the Turkish National Police.

Source: ModifiedElephant gang plants incriminating evidence on PCs • The Register